1  Introduction

In this note we consider a natural propositional logic of knowledge, common
knowledge, and branching time which is appropriate for distributed systems.
We show that this language may be interpreted in Propositional Dynamic
Logic with Converse (PDLC) [St81, Pr81]. This result makes the relationship
between our protocol model and general Kripke models precise (cf.
[FI85]) as well as showing that PDLC already suffices for a certain amount
of reasoning about knowledge in distributed systems. It was already known
that the satisfiability problem for propositional logic of branching time is
EXPTIME complete, cf. [EH85]. As a corollary of our result we show that
satisfiability for propositional logic of branching time remains EXPTIME
complete with the addition of any combination of knowledge and common
knowledge operators. (This last result has been independently obtained in


2  Definitions 

We define Propositional Temporal Knowledge Logic (PTKL) as follows. Let
PROP $= \{S_1, S_2, \ldots\}$ be a set of propositional symbols. Let PART $=
\{1, 2, \ldots, n\}$, $n \ge 2$, be a finite set of participants. Let $\Phi = \Phi(\text{PART}, \text{PROP})$,
the formulas of PTKL, be the smallest set of strings containing PROP and
closed under the following rules:

1. If $\alpha, \beta \in \Phi$ then so are $\neg\alpha$ and $\alpha \wedge \beta$.

2. If $\alpha, \beta \in \Phi$ then so are $Y\alpha$, $G\alpha$ and $(\alpha U \beta)$.

3. If $\alpha \in \Phi$ and $H \subseteq$ PART then $C_H\alpha \in \Phi$.

The intuitive meaning of the temporal operators is as follows: $Y\alpha$ means
that $\alpha$ holds at every next step. $G\alpha$ means that $\alpha$ holds at all points in the
future. $(\alpha U \beta)$ means that $\alpha$ is true and remains true until $\beta$ becomes true.

We adopt abbreviations for the dual operators: $X\alpha = \neg Y \neg\alpha$, meaning
that $\alpha$ holds at some next step, and $F\alpha = \neg G \neg\alpha$, meaning that $\alpha$ holds at
some future step.

For $H$ a singleton, $H = \{i\}$, we adopt the abbreviation $K_i\alpha$, read “$i$
knows $\alpha$,” for $C_H\alpha$. The intuitive meaning is that $\alpha$ is true in all conceivable
situations that are consistent with $i$’s local view. In the more general
case $C_H\alpha$ is read, “It is common knowledge among the members of $H$ that
$\alpha$.” This is precisely defined below. See also Fact 2.1 for an equivalent
formulation.

The semantics of PTKL are defined using a kind of Kripke model called
a distributed protocol. See [FI85] for a detailed discussion of this model.
Let PROP be fixed. Define a protocol to be a tuple $P = (n, Q, I, \tau, \pi)$.
PART $= \{1, \ldots, n\}$ is a set of participants, $Q$ is a set of local states, and $Q^n$
is the set of $n$-tuples called global states. $I \subseteq Q^n$ is a set of initial global
states, the function $\pi : Q^n \times \text{PROP} \to \{0, 1\}$ evaluates the propositional
letters at each global state, and $\tau \subseteq Q^n \times Q^n$ is the next move relation on
global states. Let $\tau^*$ be the reflexive transitive closure of $\tau$ and define the
reachable global states in $P$ to be

$$R_P = \{q \in Q^n \mid \text{for some } s \in I,\ (s, q) \in \tau^*\}.$$

Intuitively, a global state $q$ is reachable if there is a $\tau$-path $s, p_1, \ldots, p_{r-1}, q$
starting in an initial global state $s$ and ending in $q$.

Given a protocol $P = (n, Q, I, \tau, \pi)$, a global state $q \in R_P$, and a PTKL
formula $\alpha \in \Phi$, we define the satisfaction relation $(P, q) \models \alpha$ in the usual
way by induction on the complexity of $\alpha$:

1. For $S \in$ PROP, $(P, q) \models S \iff \pi(q, S) = 1$.

2. $(P, q) \models Y\beta \iff$ (for all $p$)(if $(q, p) \in \tau$ then $(P, p) \models \beta$).

3. $(P, q) \models G\beta \iff$ (for all $p$)(if $(q, p) \in \tau^*$ then $(P, p) \models \beta$).

4. $(P, q) \models (\beta U \gamma) \iff$ (for all $n \ge 0$)(for all $p_0, p_1, \ldots, p_n$)(if ($q = p_0$ and
for $i = 1, \ldots, n$, $(p_{i-1}, p_i) \in \tau$ and $(P, p_i) \models \neg\gamma$) then $(P, p_n) \models \beta$).

The only unusual case occurs when $\alpha = C_H\beta$. For $i \le n$, let $(q)_i$ denote
the $i$th component of $q$. Define the equivalence relation $\sim_i$ on $R_P$ by

$$p \sim_i q \iff (p)_i = (q)_i.$$

For $H = \{i_1, \ldots, i_r\}$, let the equivalence relation $\sim_H$ be the transitive closure
of $\sim_{i_1} \cup \sim_{i_2} \cup \ldots \cup \sim_{i_r}$. Finally we define:

5. $(P, q) \models C_H\beta \iff$ (for all $p$)(if $p \sim_H q$ then $(P, p) \models \beta$).

From this definition it is straightforward to prove:

Fact 2.1 [FI85] The following two statements are equivalent for any set
$G \subseteq$ PART:

1. $(P, p) \models C_G\alpha$.

2. $(\forall r > 0)(\forall i_1, \ldots, i_r \in G)((P, p) \models K_{i_1} K_{i_2} \ldots K_{i_r}\alpha)$.
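
The satisfaction clauses 1 to 5 and Fact 2.1 can be exercised on a small finite protocol. The Python evaluator below is an added example, not code from the paper; the tuple encoding of formulas, the names `reachable`, `holds` and `K`, the 0-based participant indices, and the sender/receiver protocol are assumptions constructed for illustration.

```python
def reachable(starts, rel):
    """States reachable from `starts` via rel (reflexive transitive closure)."""
    seen, todo = set(starts), list(starts)
    while todo:
        q = todo.pop()
        for a, b in rel:
            if a == q and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen

def holds(P, q, phi):
    """(P, q) |= phi, following clauses 1-5; formulas are nested tuples."""
    I, tau, pi = P
    op = phi[0]
    if op == "prop":   # clause 1
        return pi(q, phi[1])
    if op == "not":
        return not holds(P, q, phi[1])
    if op == "and":
        return holds(P, q, phi[1]) and holds(P, q, phi[2])
    if op == "Y":      # clause 2: every tau-successor
        return all(holds(P, p, phi[1]) for a, p in tau if a == q)
    if op == "G":      # clause 3: every tau*-successor
        return all(holds(P, p, phi[1]) for p in reachable({q}, tau))
    if op == "U":      # clause 4, (beta U gamma): beta on every path whose steps avoid gamma
        step = {(a, p) for a, p in tau if not holds(P, p, phi[2])}
        return all(holds(P, p, phi[1]) for p in reachable({q}, step))
    if op == "C":      # clause 5: every reachable p in the ~_H class of q
        R = reachable(I, tau)
        link = {(a, p) for a in R for p in R if any(a[i] == p[i] for i in phi[1])}
        return all(holds(P, p, phi[2]) for p in reachable({q}, link))
    raise ValueError(op)

def K(i, phi):
    """K_i phi abbreviates C_H phi for the singleton H = {i}."""
    return ("C", (i,), phi)

# Constructed protocol: participant 0 is a sender, participant 1 a receiver.
# A global state is the pair (sender local state, receiver local state).
A, B, D = ("idle", "none"), ("sent", "none"), ("sent", "got")
TAU = {(A, B), (B, B), (B, D), (D, D)}   # send, delay, deliver, stay
P = ({A}, TAU, lambda q, S: S == "sent" and q[0] == "sent")
SENT = ("prop", "sent")
```

At the delivered state `D` both participants know `sent`, yet common knowledge fails: `D` is linked to `B` through the sender's view and `B` to `A` through the receiver's view, which is exactly the failing chain `K(0, K(1, SENT))` that Fact 2.1 predicts.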

3  Main  Results 

In Theorem 3.1 below, we give an interpretation of PTKL in Propositional
Dynamic Logic with Converse (PDLC) [St81]. It then follows using Pratt’s
EXPTIME decision procedure for PDLC [Pr81] that the satisfiability problem
for PTKL is solvable in EXPTIME. This is Corollary 3.7. We then
observe in Theorem 3.8 that if a PTKL formula is satisfied by some protocol
in which at least two participants are mentioned, then it is satisfied by
a protocol in which the only participants are those explicitly mentioned in
the formula. Thus, allowing extra participants with “hidden” state does not
increase the power of the system.

We assume that the reader is familiar with Propositional Dynamic Logic
(PDL), see e.g. [FL79]. PDLC is PDL plus the converse operator: for each
program $a$ we let $a^-$ denote its converse.

Theorem 3.1 There is a simultaneously logspace and time 0{n^) computable
mapping $f$ from formulas of PTKL to formulas in PDLC such that
for all $\alpha \in \Phi$, $\alpha$ is satisfiable if and only if $f(\alpha)$ is satisfiable.

The proof is contained in three lemmas. First we define the mapping $f$
and show that it is easily computable. Next we show that if $\alpha$ is satisfiable,
then so is $f(\alpha)$, and finally we show the converse, that if $f(\alpha)$ is satisfiable,
then so is $\alpha$.

Let PART $= \{1, \ldots, n\}$. The atomic program symbols we will need are
$\{t, e_1, \ldots, e_n\}$. Symbol $t$ will correspond to a $\tau$ step and the $e_i$’s together
with their converses will correspond to $\sim_i$ links. The function $f$ is defined
inductively as follows:

1. For $S \in$ PROP, $f(S) = S$.

2. $f(\neg\alpha) = \neg f(\alpha)$; $f(\alpha \wedge \beta) = f(\alpha) \wedge f(\beta)$.

3. $f(Y\alpha) = [t]f(\alpha)$; $f(G\alpha) = [t^*]f(\alpha)$;
$f(\alpha U \beta) = [(t; \neg f(\beta)?)^*]f(\alpha)$.

4. For $H = \{i_1, \ldots, i_r\}$, $f(C_H\alpha) = [(e_{i_1} \cup e_{i_1}^- \cup \ldots \cup e_{i_r} \cup e_{i_r}^-)^*]f(\alpha)$.

Lemma 3.2 $f$ is simultaneously logspace and time 0{n^) computable.

Proof Straightforward using standard techniques. ∎

Lemma 3.3 Given a protocol $P = (n, Q, I, \tau, \pi)$, there is a PDL structure
$h(P)$, whose worlds are the reachable global states of $P$, such that for any
PTKL formula $\alpha$ and reachable global state $p$, $(P, p) \models \alpha$ iff $(h(P), p) \models f(\alpha)$.

Proof We define the PDL structure $h(P)$ as follows: the set of worlds $W$
of $h(P)$ is $R_P$, and the mapping $\pi' : \text{PROP} \to 2^W$ is given by $\pi'(S) = \{p \in
R_P \mid \pi(p, S) = 1\}$. For each participant $i$, the meaning of $e_i$ is given by


and finally

$$\rho(t) = \{(p, q) \in R_P \times R_P \mid (p, q) \in \tau\}.$$

It is easy to show by induction on the complexity of $\alpha$ that for $p \in R_P$,

$$(P, p) \models \alpha \iff (h(P), p) \models f(\alpha).$$

We leave the details to the reader. ∎


Lemma 3.4 Given a PDL structure $K = (W, \rho, \pi)$ with atomic program
symbols $t, e_1, \ldots, e_s$, there is a protocol $g(K)$ with $n = \max(s, 2)$ participants
and a surjection $\eta$ from global states of $g(K)$ to worlds of $K$ such that for
any PTKL formula $\alpha$ and global state $q$, $(g(K), q) \models \alpha$ iff $(K, \eta(q)) \models f(\alpha)$.

Proof For $1 \le i \le n$, let $\equiv_i$ be the reflexive, symmetric, and transitive
closure of $\rho(e_i)$ on $W$ if $i \le s$, and let $\equiv_i$ be the equality relation if $i > s$.
Let $[w]_i$ denote the $\equiv_i$ equivalence class which contains $w$. Let $M = |W|$,
and let $\omega : \{0, \ldots, M - 1\} \to W$ be a bijection.

We define the protocol $g(K) = (n, Q, I, \tau, \pi')$ as follows. Let

$$Q = \{([w]_i, m) \mid w \in W,\ 1 \le i \le n,\ 0 \le m < M\}.$$

Define the map $\eta : Q^n \to W$ by

$$\eta((([w]_1, m_1), ([w]_2, m_2), \ldots, ([w]_n, m_n))) = \omega\Big(\sum m_i \bmod M\Big),$$

and let

$$I = \{q \in Q^n \mid \text{for some } w \in W,\ m_1, \ldots, m_n \in \{0, \ldots, M - 1\},\ q = (([w]_1, m_1), \ldots, ([w]_n, m_n)) \text{ and } \eta(q) = w\}.$$

The idea here is that in $I$, each local state $([w]_i, m_i)$ has as first component
the $\equiv_i$ equivalence class we are in and the second component gives no
further information except when added to all the other $m_j$’s, in which case
it tells us exactly which world we are in and thus what the allowable next
moves are.

To complete the definition of $g(K)$ let

$\tau = \{(q, q') \in I \times I \mid (\eta(q), \eta(q'))$

and let

$$\pi'(q, S) = \begin{cases} 1 & \text{if } \eta(q) \in \pi(S) \\ 0 & \text{otherwise.} \end{cases}$$

Note that by definition, $\tau \subseteq I \times I$ and thus $R_{g(K)} =$
For any $H \subseteq$ PART, let $\equiv_H = (\bigcup_{i \in H} \equiv_i)^*$.


Fact 3.5 Let $p, p' \in I$ with $p \sim_H p'$. Then $\eta(p) \equiv_H$

Proof First assume $H = \{i\}$. Let $p, p' \in I$ and let $w = \eta(p)$ and $w' = \eta(p')$.
If $p \sim_i p'$, then the $i$th components of $p$ and $p'$ are the same, so $[w]_i = [w']_i$.
Hence, $\eta(p) = w \equiv_i w' = \eta(p')$. The extension to arbitrary $H$ follows easily
by induction on the minimal $r$ such that $(p, p') \in (\bigcup_{i \in H} \sim_i)^r$. ∎

Fact 3.6 Let $p \in I$, let $\eta(p) = w$ and let $w \equiv_H w'$. Then there exists $p' \in I$
such that $\eta(p') = w'$ and $p \sim_H p'$.

Proof First assume $H = \{i\}$, and let $p$, $w$, and $w'$ be as above. We may
write $p = (([w]_1, m_1), \ldots, ([w]_n, m_n))$. Choose $k \ne i$, possible since $n \ge 2$.
Let $p' =$ where $m'_j = m_j$ for all $j \ne k$, and
choose such that $\eta(p') = w'$. Thus, $p' \in I$, and since $[w']_i = [w]_i$ and
$m'_j = m_j$, we have $p \sim_i p'$ as desired. The extension to arbitrary $H$ follows
easily by induction on the minimal $r$ such that $(w, w') \in (\bigcup_{i \in H} \equiv_i)^r$. ∎

Returning to the proof of Lemma 3.4, we show by induction on the
complexity of $\alpha \in \Phi$ that for $q \in R_{g(K)}$,

$$(g(K), q) \models \alpha \iff (K, \eta(q)) \models f(\alpha).$$

The only interesting case is when $\alpha = C_H\beta$. Let $H = \{i_1, \ldots, i_r\}$ and
$q \in R_{g(K)}$. Then

$(g(K), q) \models C_H\beta$

$\iff$ for all $p \in R_{g(K)}$, if $q \sim_H p$ then $(g(K), p) \models \beta$

(by definition of $C_H$)

$\iff$ for all $p \in R_{g(K)}$, if $\eta(q) \equiv_H \eta(p)$ then $(K, \eta(p)) \models f(\beta)$

(by Facts 3.5 and 3.6 and the induction hypothesis)

$\iff$ for all $w' \in W$, if $\eta(q) \equiv_H w'$ then $(K, w') \models f(\beta)$

(since $\eta$ is surjective)

$\iff (K, \eta(q)) \models [(e_{i_1} \cup e_{i_1}^- \cup \ldots \cup e_{i_r} \cup e_{i_r}^-)^*]f(\beta)$

(by definition of $\equiv_i$ and PDLC).

This completes the proof of Lemma 3.4 and of Theorem 3.1. ∎




Corollary 3.7 The satisfiability problem for PTKL is decidable in EXPTIME.


Given a PTKL formula $\alpha$, let $H(\alpha)$ be the set of participants that appear
in $\alpha$. More precisely, if are the knowledge operators that
appear in $\alpha$, then $H(\alpha) = H_1 \cup \ldots \cup H_r$. The following theorem shows that if
there are at least two participants mentioned in a formula then adding extra
participants not mentioned in the formula cannot affect its satisfiability.
Note that this is nontrivial because the truth of a knowledge formula in a
particular structure can be affected by participants not mentioned in the
formula.

Theorem 3.8 Let $\alpha$ be a satisfiable formula of PTKL. Then $\alpha$ is satisfiable
in a protocol $P = (n, Q, I, \tau, \pi)$ in which $n = \max(|H(\alpha)|, 2)$.

Proof Let $\alpha$ be satisfiable in a protocol $P$, and let $n = \max(|H(\alpha)|, 2)$. We
will show that $\alpha$ is satisfiable in a protocol with $n$ participants. By Lemma
3.3, $f(\alpha)$ is satisfiable in the PDL structure $h(P)$. But $f(\alpha)$ only contains
program letters $t$ and $e_i$ for $i \in H(\alpha)$. Hence, $f(\alpha)$ is also satisfiable in a
PDL structure $K$ containing only the relations $\rho(t)$ and $\rho(e_i)$ for $i \in H(\alpha)$.
By Lemma 3.4, $\alpha$ is satisfiable in the protocol $g(K)$, which has only $n$
participants. ∎


4  Hardness 

The following theorem is very similar to the corresponding lower bound in
[FL79]. Emerson and Halpern [EH85] already point out that this theorem
can be proved in this way. We include the details for the sake of completeness.

Theorem 4.1 Let $M$ be an ASPACE($n$) Turing machine. Then there is a
logspace and $n \log n$ time computable function $d : \{0, 1\}^* \to \Phi$ such that $M$
accepts $x$ iff $d(x)$ is satisfiable. Furthermore the operator $C$ does not occur
in $d(x)$.

Proof 

An instantaneous description (ID) of $M$ for an input of length $n$ will
consist of $n + 3$ symbols as follows: a left end-marker $<$, $n$ tape cells, a state
symbol $q \in Q_M$ located immediately to the left of the cell being examined
by $M$’s head, and a right end-marker $>$. Let $V_M \subseteq Q_M$ be the set of $M$’s
universal states and let $A_M$ be $M$’s tape alphabet. Let $\Sigma = Q_M \cup A_M \cup \{<, >\}$
be the alphabet of all possible symbols in an ID of $M$. We will assume
without loss of generality that $M$ has a clock which causes each computation
branch to enter the unique rejecting state, after $c^n$ steps. We will
also assume that there is a unique accepting state,

Given an input $x \in \{0, 1\}^n$, we let PROP $= \{\sigma_i \mid \sigma \in \Sigma$ and $-1 \le i \le
n + 1\}$. We will let $d(x)$ be the conjunction of the following PTKL formulas.
Intuitively $d(x)$ will assert that each reachable global state determines an
ID of $M$, that in particular the current global state determines $M$’s initial
ID on input $x$, that every global state leads in a next time step to at least
one global state whose ID is a valid next move of $M$, that every global state
corresponding to a universal ID leads in next time steps to each of the two
possible next moves of $M$, and that the reject state never occurs. It thus
follows that $d(x)$ is satisfiable if and only if $M$ accepts $x$.

•  <5(A,"=ii  "’Pi))  A  G(<_i  A  >„+]),  i.e.  each  cell  i  always 

contains exactly one symbol of $\Sigma$, and the end-markers are fixed.

•  90*'*’^*  A  {A,:i,=oOi)  A  (A,:i;=i  i.e. the initial ID is g*'"’"' followed by $x$.

•  $G(\bigwedge_{\alpha, \beta, \gamma \notin Q_M} \bigwedge_{i=0}^{n} (\alpha_{i-1} \wedge \beta_i \wedge \gamma_{i+1} \to Y\beta_i))$, i.e. a cell not bordered
by a state symbol is always preserved.

•  <5(A^e<?.v  Ar=o(«<-iA/?iA7,+i  '^K-iA/^'A^J+i  V 

i.e. there is a next step that reflects at least one of the possible next
moves of $M$.

•  ^(A;jev„  Ar=o(»i-i  A  /?,  A  7,+i  ^  .Y(a|_i  A  0l  A  7,'^j)  A  A 

J'i  A  7r+i)). When we’re in a universal state there are next steps
reflecting each of the two possible next moves.

•  G(A"=o  i.e. we never enter the rejecting state.

It is not hard to verify that $d(x)$ meets the required conditions. ∎


Corollary 4.2 The satisfiability problem for PTKL is EXPTIME complete
even with only one participant and no occurrences of $C_H$.